fix: move CORS allowed origins to env variable

adityapichikala · adityapichikala · commit 4e6247151d6d · 2026-05-24T15:26:10.000+05:30
- Replace hardcoded allowedOrigins array with ALLOWED_ORIGINS env var
- Add backend/.env.example documenting all required env vars
- Prevents production URLs from leaking into source control
- Ensures proper CSRF protection with credentials: true
diff --git a/backend/.env.example b/backend/.env.example
@@ -0,0 +1,14 @@
+# Server
+PORT=5000
+NODE_ENV=development
+
+# MongoDB
+MONGO_URI=mongodb://127.0.0.1:27017/github_tracker
+
+# Session
+SESSION_SECRET=your_session_secret_here
+
+# CORS — comma-separated list of allowed frontend origins
+# In production, set this to your actual frontend URL(s).
+# If not set, defaults to http://localhost:5173
+ALLOWED_ORIGINS=http://localhost:5173
diff --git a/backend/server.js b/backend/server.js
@@ -13,13 +13,18 @@ const logger = require('./logger');
 
 const app = express();
 
-// CORS configuration
-const allowedOrigins = ['http://localhost:5173', 'https://github-spy.etlify.app'];
+// CORS configuration — allowed origins are read from the ALLOWED_ORIGINS env var
+// (comma-separated). Falls back to localhost for local development.
+const allowedOrigins = process.env.ALLOWED_ORIGINS
+    ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim())
+    : ['http://localhost:5173'];
+
 app.use(cors({
     origin: function (origin, callback) {
+        // Allow requests with no origin (e.g. server-to-server, curl, mobile apps)
         if (!origin || allowedOrigins.indexOf(origin) !== -1) {
             callback(null, true);
-        } else{
+        } else {
             callback(new Error('Blocked by CORS policy'));
         }
     },
